Skip to content
In development

UAE PDPL: the federal data protection law, explained

UAE Federal Personal Data Protection Law · United Arab Emirates

The UAE Personal Data Protection Law is the federal data protection regime for the United Arab Emirates. It follows the broad structure of GDPR — a lawful basis for processing, data subject rights, breach notification, and cross-border transfer restrictions — with its own thresholds, its own regulator, and its own exemptions.

Who it applies to

  • Organisations established in the UAE that process the personal data of data subjects inside or outside the UAE
  • Organisations outside the UAE that process the personal data of data subjects inside the UAE
  • Note that the DIFC and ADGM financial free zones operate their own separate data protection laws

What it requires

A lawful basis for processing

Consent is the default basis under the PDPL, with defined exceptions — contract necessity, legal obligation, protection of vital interests, and public interest among them.

Data subject rights

Access, correction, erasure, restriction of processing, objection, and data portability — broadly mirroring GDPR.

Breach notification

Notification to the regulator, and to affected individuals where the breach poses a risk to their privacy, security, or confidentiality.

Cross-border transfer restrictions

Transfers are permitted to jurisdictions with adequate protection, or under appropriate safeguards such as contractual clauses.

A Data Protection Officer where required

Appointment is required where processing is high-risk, involves large-scale sensitive data, or involves systematic evaluation.

Records and accountability

Controllers and processors must maintain records of processing and be able to demonstrate compliance.

Penalties

Administrative penalties are set by Cabinet decision. The practical exposure for most organisations is regulatory action and the commercial consequence of failing a customer's due diligence.

UAE PDPL support is in development

To be straight with you: RegRely runs GDPR today. UAE PDPL is not shipped yet. The underlying workflows — data subject requests, records of processing, consent, risk, and evidence — are the same across regimes, which is what makes the extension tractable rather than a rewrite.

If UAE PDPL is on your critical path, tell us your timeline and we will tell you honestly whether we can meet it.

See what ships today

Frequently asked questions

It is closely modelled on GDPR — lawful bases, data subject rights, breach notification, and transfer rules all follow the same structure — but it is not identical. Consent plays a larger role as the default basis, and the thresholds, exemptions, and regulator differ.

Yes, where they process the personal data of data subjects located inside the UAE. Establishment in the UAE is not required for the law to apply.

No. The Dubai International Financial Centre and Abu Dhabi Global Market are financial free zones with their own data protection laws, which operate separately from the federal PDPL. Companies in those zones follow the zone's regime.

Consent is the default, with defined exceptions including necessity for a contract, compliance with a legal obligation, protection of vital interests, and public interest. This makes consent management more central under the PDPL than under GDPR.